Hazard Token Grabber: Upgraded version of Stealer Targeting Discord Users

Cyble Research Labs has come across a new strain of malware performing stealing activities named Hazard Token Grabber. The initial version of Hazard Token Grabber was spotted in the wild in 2021, and we have observed an upgraded version now, which Threat Actors (TAs) are using to steal the user’s data. Both versions are available on GitHub for free.

During our OSINT threat hunting exercise, we came across over 2000 Samples related to this stealer present in the wild. Most of the samples seen in the wild are the actual Python source code of the malware used for compiling the binary, indicating that the malware has been used on a large scale. Interestingly few of the samples had either low or even zero detection.

As per the statement made by the Threat Actor (TA), it appears that an upgraded version of Hazard Stealer can be accessed by purchasing it on their Discord server or website. This indicates that the malware present on GitHub might not be that evasive, and the TA has only uploaded it there for advertisement purposes. Figure 1 shows the statement made by the Threat Actor.

Statement made by TA
Figure 1 – Statement made by TA

The number of samples related to Hazard stealer has increased significantly in the last three months, as shown below.

Stats of the sample submission in VirusTotal
Figure 2 – Stats of the sample submission in VirusTotal

The figure below shows the file details of one of the recent samples we analyzed.

File Details
Figure 3 – File Details

Technical Analysis


Hazard Token Grabber is developed using Python, and the builder of this stealer supports Python version 3.10. The builder is a simple batch file that helps generate the payload and convert malicious Python script to a .exe file using Pyinstaller.

Hazard builder
Figure 4 – Hazard builder


The malware exfiltrates the data to a Discord channel using webhooks which can be modified through the configuration settings. The malware configuration also contains Flag variables and a list of programs to terminate during execution, as shown below.  

File Configuration
Figure 5 – File Configuration

The malware copies itself into the startup location to establish persistence and creates a random directory in the %temp% to store the stolen data.

Creating a folder in the Temp directory
Figure 6 – Creating a folder in the Temp directory

Upon execution, the stealer checks the configuration settings and creates a list to append the function names whose flag is set to TRUE. After this, the malware creates a thread for each function present in the list to execute the malicious code parallelly.

Figure 7 – Multithreading


The malware performs various checks to prevent debugging and terminates itself if malware is being debugged. The malware has a list of a few hardcoded values such as hardware ID, PC names, and usernames to exclude them from infection. The figure below shows the hardcoded lists

Anti-debug check
Figure 8 – Anti-debug check

The malware also checks for the disk size of the victim’s system. If it’s below 50GB, it terminates itself. It then reads the following registry keys for identifying the Virtual environment.


HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc 2> nul”)

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\ProviderName 2> nul”)

Query registry
Figure 9 – Query registry

Data Harvesting:

The malware then proceeds to scan for the presence of a Discord token protector, something that protects Discord tokens from malicious grabbers. To evade this, the malware checks for the presence of certain files such as DiscordTokenProtector.exe, ProtectionPayload.dll, and secure.dat. If these filesare present in the DiscordTokenProtector directory, the malware removes them. After this, the malware also modifies the config.json file present in the DiscordTokenProtector directory to bypass the token protector. 

Bypassing DiscordTokenProtector
Figure 10 – Bypassing DiscordTokenProtector

The Hazard token grabber then bypasses the BetterDiscord by replacing the string ‘api/webhooks’ with ‘RdimoTheGoat,’ as shown below.

Bypassing BetterDiscord
Figure 11 – Bypassing BetterDiscord

Using the subprocess module, the malware spawns PowerShell for fetching the Windows activation key and product name by querying registry keys shown in the figure below. The malware then steals this data for exfiltration. 

Figure 12 – Spawning PowerShell

This malware targets over 20 applications with the express purpose of stealing Discord tokens which include:

Discord, DiscordCanary, Lightcord, DiscordPTB, Opera, OperaGX, Amigo, Torch, Kometa, Orbitum, CentBrowser, 7Star, Sputnik, Vivaldi, ChromeSxS, Chrome, EpicPrivacyBrowser, Microsoft Edge, Uran, Yandex, Brave, Iridium and Mozilla Firefox.

This grabber steals cookies and login credentials from the chrome browser only. The stolen credentials contain Domain, Username, and Password. The stolen data is saved in a text file which will be copied to the random folder created initially.

Stealing data from Chrome browser
Figure 13 – Stealing data from Chrome browser

The malware uses the API hxxps[:]// and appends a Discord authorization token to identify Account information, such as email, mobile, and billing-related details. It also identifies the badge associated with the Discord account and writes all the harvested information into “Discord Info.txt”, as depicted below.

Harvesting data using discord developer's API
Figure 14 – Harvesting data using discord developer’s API

The Hazard token grabber reads the following registry key:

SOFTWARE\Roblox\RobloxStudioBrowser\ -Name .ROBLOSECURITY

to steal the Roblox studio cookie and writes the stolen data to the “Roblox Cookies.txt” file.

Stealing Roblox Studio Cookies
Figure 15 – Stealing Roblox Studio Cookies

Data Exfiltration:

Hazard token grabber sends a request to hxxps[:]//ipinfo[.]io/json to identify the victim’s IP and Location. It also finds the victim’s Google Maps Location. The malware does not write this data to a file but instead sends this as a message on Discord.

Finally, the malware compresses the stolen data and exfiltrates it using webhooks specified by the TA.

Data Exfiltration
Figure 16 – Data Exfiltration


In the course of our analysis, we witnessed some samples of Hazard Token Grabber, which were fully undetectable. As the stealer is also available on GitHub, it’s possible that other TAs can also utilize its source code to create a variant of this stealer. Hazard stealer has the capability to steal data from multiple applications; however,  considering its specific functionality, the primary target appears to be Discord users.

See Cyble Vision in Action

Our Recommendations:

  • Avoid downloading applications from unknown sources.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Use strong passwords and enforce multi-factor authentication wherever possible.  
  • Update your passwords periodically.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.  
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez. 
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs. 
  • Enable Data Loss Prevention (DLP) Solution on the employees’ systems. 

MITRE ATT&CK® Techniques  

Tactic Technique ID Technique Name 
Execution  T1204 User Execution 
Defense Evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 
PersistenceT1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Credential Access T1555 
Credentials from Password Stores
  Steal Web Session Cookie
  Steal Application Access Token 
Collection T1113 Screen Capture 
Discovery T1087
Account Discovery
Software Discovery
Process Discovery
System Time Discovery
System Service Discovery
System Location Discovery   
Command and Control T1071Application Layer Protocol 
Exfiltration T1041 Exfiltration Over C2 Channel 

Indicators of Compromise (IoCs):  

Indicators Indicator type Description 
d079bcd90c03088e9c5e77084f8e4c385557db6b 2441f2df1789cfc48a170a7927d73b98d8676a65eb81f3b068e4c76c3b85e77a  
3f4966ec6ecc8973702f32e51eb766dda737f2d0 4ac15d15ff16919a08770265c074e8e89b21c9b61ce6348072aa719e80b5ed06  
083f1d520e8524d778e1c52b4cbdd5986ca6365c 6925d86fdedff2065c33df7806ba231d0d1c8f2d5246f1cad343f37fee54fe29  

Comments are closed.

Scroll to Top